Secure CRUD SharePoint rest apis - sharepoint

Is it possible to secure SharePoint rest APIs?
I have a SharePoint portal that allows users to create accounts and get access to the portal.
The portal uses the SharePoint client object model. If any of the users tries to access, let's say, the getuserbyid method or retrieves items from lists and changes the ID value, he will be able to retrieve information about other users on the portal.
So is it possible, or is there any way, to restrict access to the REST APIs outside the portal itself? Because with manipulation using Fiddler or Burp Suite the request can be replayed with different information or values.

The operations performed by the Client Side Object Model respect the SharePoint site permissions in the SharePoint site you are interacting with. You need to set/customize the site permissions such that you get the results that you want.

Related

How to obtain ACLs for different sharepoint sites

Using the Graph API or SharePoint REST APIs, is there a way to obtain, for each site, the list of users/O365 groups that are allowed read access to the site?
We are able to obtain the list of sites using the Graph API GET /sites?search=* but cannot find a way to get the list of users allowed to access each site (except for SharePoint team sites associated with O365 groups, which we can enumerate using the GET /groups/{group-id}/sites API call).
We are building a server side application so need to do this from the server using application-level permissions, and not from the client.
Pointers for how to do this are greatly appreciated!
Looks like there is no such endpoint that gets the site permissions, and there are a few UserVoice entries here that are close to your scenario. Please upvote them so that it could be developed by the product team in the future.

What permissions are required to call /_api/hubsites and get results?

We are trying to use the SharePoint REST API to retrieve the list of hubs a user has access to. When I, as a SharePoint admin, call the API (https://[tenant].sharepoint.com/_api/hubsites) I get the list of hubs correctly. However, when anyone else calls the API they get an empty response. They have Contribute rights to the SharePoint home site as well as the hub and all connected sites.
Thanks
Based on the Microsoft documentation, this RESTful service should be "callable" by any user with read permission to the site:
Gets information about all hub sites that the current user can access.
Are you sure those users do have access to the hub sites? Can you share the empty responses you get from those users' calls?

How do I get started from reading SharePoint list information from outside of SharePoint?

We have a SharePoint subscription and an Azure subscription. I want to make a web app that is hosted in Azure, but the database for the app would basically be SharePoint lists. I'm looking up documentation on how to do this, but I'm just finding how to make "web parts" and they keep assuming I want to build my website inside SharePoint rather than outside.
How do I access a user's SharePoint lists from outside of SharePoint?
The easy part is the request for data. Use the SharePoint REST API. The harder part is authentication. How is the Azure app related to the SharePoint app? Same user login?
A sample REST call to select columns from a list:
https://yourDomain/sites/yourSite/_api/web/lists/getbytitle('My List')/items?$select=Title,Price,Qty
The REST API also supports filtering and sorting along with insert, update and delete.
A filter example:
https://yourDomain/sites/yourSite/_api/web/lists/getbytitle('My List')/items?$select=Title,Price,Qty&$filter=Title eq 'Toys'
If you would like to experiment with the REST API from your SharePoint site, I have a "REST tester" you can add to a Content Editor Web Part.
https://github.com/microsmith/SharePointRESTtester

Security Query for the Users in a SharePoint Site

I am updating a SharePoint 2007 solution to SharePoint 2013. The solution creates a list of permissions for each site in a site collection. In SharePoint 2007 I used SOAP to query the ROLE object and got back the Groups and Users security objects for a site. In SharePoint 2013 ROLE and SOAP are deprecated. I am trying to use the REST API to recreate the solution. I am able to get the Groups object for each site, but I am unable to find a way to get the Users security object for the sites. I can get Site Users for the site collection and get the Users in a SharePoint Group, but I find no way to get the Users security object for a site. Has anyone been able to accomplish getting the Users for a site?
Sample REST API to check a user's permissions for a site.
You need to encode the URL from (supposing you use the default NTLM authentication)
/_api/web/getusereffectivepermissions(#user)?#user='i:0#.w|contoso\userb'
to
/_api/web/getusereffectivepermissions(#user)?#user='i%3A0%23.w%7Ccontoso%5Cuserb'
About the return value, check the thread below.
http://www.lifeonplanetgroove.com/checking-user-permissions-from-the-sharepoint-2013-rest-api/?doing_wp_cron=1449727796.2080190181732177734375
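As an added example (not code from this thread or from Microsoft), a Python helper that builds the percent-encoded getusereffectivepermissions URL from a claims login name and decodes the High/Low mask in the reply into named SPBasePermissions flags; the @user alias form, the verbose-OData response shape, the flag subset and the sample response are assumptions. It also serves the first question above: checking a caller's effective permissions is how you confirm that SharePoint, not the client, is enforcing the site permissions.

```python
import json
from urllib.parse import quote

# Subset of SharePoint's SPBasePermissions flag values (bit positions), as assumed here.
SP_BASE_PERMISSIONS = {
    "ViewListItems": 1 << 0,
    "AddListItems": 1 << 1,
    "EditListItems": 1 << 2,
    "DeleteListItems": 1 << 3,
    "ViewPages": 1 << 17,
    "ManagePermissions": 1 << 25,
    "BrowseUserInfo": 1 << 27,
    "ManageWeb": 1 << 30,
}


def effective_permissions_url(web_url, login_name):
    """Build the getusereffectivepermissions URL with the login name percent-encoded.

    ':' '#' '|' and '\\' in a claims login such as i:0#.w|contoso\\userb are not
    safe inside a query string, so quote() with safe='' escapes every one of them.
    The @user alias form is an assumption (the thread writes it as #user).
    """
    return (f"{web_url.rstrip('/')}/_api/web/getusereffectivepermissions(@user)"
            f"?@user='{quote(login_name, safe='')}'")


def decode_permission_mask(high, low):
    """Combine the High/Low halves of the returned mask into named permission flags."""
    mask = (int(high) << 32) | int(low)
    return {name for name, bit in SP_BASE_PERMISSIONS.items() if mask & bit}


def missing_permissions(response_text, required):
    """Return the required flags the user does NOT hold, from a verbose-OData JSON body."""
    body = json.loads(response_text)["d"]["GetUserEffectivePermissions"]
    granted = decode_permission_mask(body["High"], body["Low"])
    return sorted(set(required) - granted)


# Constructed sample response (not captured from a real tenant): the user holds
# ViewListItems, AddListItems, EditListItems and BrowseUserInfo only.
SAMPLE_RESPONSE = json.dumps({"d": {"GetUserEffectivePermissions": {
    "High": "0", "Low": str((1 << 0) | (1 << 1) | (1 << 2) | (1 << 27))}}})

if __name__ == "__main__":
    print(effective_permissions_url("https://contoso.sharepoint.com/sites/hr",
                                    "i:0#.w|contoso\\userb"))
    print(missing_permissions(SAMPLE_RESPONSE,
                              ["ViewListItems", "ManagePermissions", "DeleteListItems"]))
```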

How to retrieve data from SharePoint?

I have a web application. When the user clicks on a button in my web application, I'd like to retrieve data from SharePoint on behalf of the user. I have read quite a few articles on SharePoint but I'm still not sure how to proceed. Should I create a provider-hosted SharePoint app and use the SharePoint REST API? Thank you in advance for your help.
You don't need to create a provider-hosted app to use the SharePoint REST services.
Quoting http://msdn.microsoft.com/en-us/library/office/jj164022(v=office.15).aspx :
One advantage of using REST is that you don’t have to add references to any SharePoint 2013 libraries or client assemblies. Instead, you make HTTP requests to the appropriate endpoints to retrieve or update SharePoint entities, such as webs, lists, and list items. See Get started with the SharePoint 2013 REST service for a thorough introduction to the SharePoint 2013 REST interface and its architecture.
Inside the page you will find videos and code examples that will help you to connect and execute operations.
That's correct. Data in SharePoint is stored in lists or libraries (for files).
You can use the Client Object Model to get data remotely from a SharePoint server (on-premises or Online). The Client Object Model can be used through assemblies (DLL files) or the REST services provided by SharePoint. Generally you should know the location of the data you are going to get; that is, as I initially mentioned, data in SharePoint is stored in lists or libraries, therefore you must know the name of the list or library and, additionally, which site or sub-site the list or library is in.
If the list where the information is stored is named "Employees" and it is on the HR website, the URL could be formed as follows:
http://spserver.company.com/HR/Employees
For the REST services, simply complete the URL of the list you want to see, so that you retrieve the information from the list. If you want to apply filters or sorting, or retrieve specific columns, you must do it through CAML queries which you add on to the REST service call.